- Recognize that information security breaches are on the rise.
- Understand the potentially damaging impact of security breaches.
- Recognize that information security must be made a top organizational priority.
Sitting in the parking lot of a Minneapolis Marshalls, a hacker armed with a laptop and a telescope-shaped antenna infiltrated the store’s network via an insecure Wi-Fi base station.Particular thanks goes to my Boston College colleague, Professor Sam Ransbotham, whose advice, guidance, and suggestions were invaluable in creating this chapter. Any errors or omissions are entirely my own. The attack launched what would become a billion-dollar-plus nightmare scenario for TJX, the parent of retail chains that include Marshalls, Home Goods, and T. J. Maxx. Over a period of several months, the hacker and his gang stole at least 45.7 million credit and debit card numbers and pilfered driver’s licenses and other private information from an additional 450,000 customers.E. Mills, “Attacks on Sony, Others, Show It’s Open Hacking Season,” CNET, June 8, 2011.
TJX, at the time a $17.5 billion Fortune 500 firm, was left reeling from the incident. The attack deeply damaged the firm’s reputation. It burdened customers and banking partners with the time and cost of reissuing credit cards. And TJX suffered under settlement costs, payouts from court-imposed restitution, legal fees, and more. The firm estimated that it spent more than $150 million to correct security problems and settle with consumers affected by the breach, and that was just the tip of the iceberg. Estimates peg TJX’s overall losses from this incident at between $1.35 billion and $4.5 billion.A. Matwyshyn, Harboring Data: Information Security, Law, and the Corporation (Palo Alto, CA: Stanford University Press, 2009).
A number of factors led to and amplified the severity of the TJX breach. There was a personnel betrayal: the mastermind was an alleged FBI informant who previously helped bring down a massive credit card theft scheme but then double-crossed the Feds and used insider information to help his gang outsmart the law and carry out subsequent hacks.D. Goldman, “Cybercrime: A Secret Underground Economy,” CNNMoney, September 17, 2009. There was a technology lapse: TJX made itself an easy mark by using WEP, a wireless security technology less secure than the stuff many consumers use in their homes—one known for years to be trivially compromised by the kind of “drive-by” hacking initiated by the perpetrators. And there was a procedural gaffe: retailers were in the process of rolling out a security rubric known as the Payment Card Industry Data Security Standard. Despite an industry deadline, however, TJX had requested and received an extension, delaying the rollout of mechanisms that might have discovered and plugged the hole before the hackers got in.K. Voigt, “Analysis: The Hidden Cost of Cybercrime,” CNN, June 6, 2011.
The massive impact of the TJX breach should make it clear that security must be a top organizational priority. Attacks are on the rise. Security firm Symantec reported that in 2010, Web-based security attacks increased 93 percent over the prior year,Synamtec Internet Security Threat Report, Symantec Corporation, April 2011. and the first few months of 2011 saw shocking, high-profile attacks hit at several firms, including Sony, data provider Epsilon, Google, and even security software firm RSA.R. King, “Lessons from the Data Breach at Heartland,” BusinessWeek, July 6, 2009. While the examples and scenarios presented here are shocking, the good news is that the vast majority of security breaches can be prevented. Let’s be clear from the start: no text can provide an approach that will guarantee that you’ll be 100 percent secure. And that’s not the goal of this chapter. The issues raised in this brief introduction can, however, help make you aware of vulnerabilities; improve your critical thinking regarding current and future security issues; and help you consider whether a firm has technologies, training, policies, and procedures in place to assess risks, lessen the likelihood of damage, and respond in the event of a breach. A constant vigilance regarding security needs to be part of your individual skill set and a key component in your organization’s culture. An awareness of the threats and approaches discussed in this chapter should help reduce your chance of becoming a victim.
As we examine security issues, we’ll first need to understand what’s happening, who’s doing it, and what their motivation is. We’ll then examine how these breaches are happening with a focus on technologies and procedures. Finally, we’ll sum up with what can be done to minimize the risks of being victimized and quell potential damage of a breach for both the individual and the organization.
- Information security is everyone’s business and needs to be made a top organizational priority.
- Firms suffering a security breach can experience direct financial loss, exposed proprietary information, fines, legal payouts, court costs, damaged reputations, plummeting stock prices, and more.
- Information security isn’t just a technology problem; a host of personnel and procedural factors can create and amplify a firm’s vulnerability.
Questions and Exercises
- The 2011 data theft at database firm Epsilon impacted a number of the firm’s clients, including Best Buy, Capital One, Citi, the Home Shopping Network, JP Morgan Chase, Kroger, Walgreens, and the College Board. Were you impacted by this breach (or any other)? How did you find out about the breach? Did you take action as a result? Research and report the estimated costs associated with this breach. Has the theft resulted in additional security issues for the individuals who had their data stolen?
- As individuals or in groups assigned by your instructor, search online for recent reports on information security breaches. Come to class prepared to discuss the breach, its potential impact, and how it might have been avoided. What should the key takeaways be for managers studying your example?
- Think of firms that you’ve done business with online. Search to see if these firms have experienced security breaches in the past. What have you found out? Does this change your attitude about dealing with the firm? Why or why not?
- What factors were responsible for the TJX breach? Who was responsible for the breach? How do you think the firm should have responded?